Bug 1222930 - openssl_tpm2_engine fails to build on Leap 15.6 - FAIL ../check_enhanced_auth.sh
Summary: openssl_tpm2_engine fails to build on Leap 15.6 - FAIL ../check_enhanced_auth.sh
Status: RESOLVED UPSTREAM
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: James Bottomley
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-16 22:20 UTC by Lubos Kocman
Modified: 2024-04-19 16:51 UTC
CC List: 1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Lubos Kocman 2024-04-16 22:20:58 UTC
Hello

Package openssl_tpm2_engine fails to build on Leap 15.6.

https://build.opensuse.org/package/live_build_log/openSUSE:Backports:SLE-15-SP6/openssl_tpm2_engine/standard/x86_64

[  304s] Engine "tpm2" set.
[  304s] TPM2_RSA_Decrypt failed with 2461
[  304s] TPM_RC_POLICY_FAIL - a policy check failed Session number 1
[  304s] Public Key operation error
[  304s] + exit 1
[  304s] FAIL ../check_enhanced_auth.sh (exit status: 1)
[  304s] 
[  304s] + exit 1
[  304s] error: Bad exit status from /var/tmp/rpm-tmp.ZOMS2J (%check)
Comment 1 James Bottomley 2024-04-17 12:49:33 UTC
Actually, that's not the cause.  From the logs this is the problem:

[  304s] 40B78F4A6A7F0000:error:0800008D:elliptic curve routines:group_new_from_name:invalid curve:crypto/ec/ec_lib.c:1500:
[  304s] 40B7D648FF7E0000:error:0800008D:elliptic curve routines:group_new_from_name:invalid curve:crypto/ec/ec_lib.c:1500:
[  304s] genpkey: Error generating EC key
[  304s] 4087D5CF7F7F0000:error:08000081:elliptic curve routines:EC_GROUP_new_by_curve_name_ex:unknown group:crypto/ec/ec_curve.c:3293:name=SM2
[  304s] FAIL ../wrap_generic_ecc.sh (exit status: 1)

This is an openssl failure when asked to generate a key using the curve sm2 (the Chinese elliptic curve).

There's always been a known problem with TPMs having more curves than openssl understands (in particular, TPMs are required to support Barreto-Naehrig curves, which openssl refuses to support), so all curve tests that need openssl to verify have a compatibility test that looks like:

    if openssl ecparam -name ${curve} 2>&1 | egrep '(invalid|unknown) curve'; then
        continue
    fi
 
But if you look at what happens on sm2, you get

> openssl ecparam -name sm2
unable to generate key
40876EF00F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (SM2 : 0), Properties (<null>)

So openssl now knows the curve (doesn't throw an unknown curve error) but has something missing that means it can't process it correctly.

The fix is to update the compatibility check to detect this case as well. I'll see if I can produce a patch.
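To illustrate the updated compatibility check described in the comment above, here is an added example; it is not the openssl_tpm2_engine test code nor the upstream fix. It is a POSIX sh helper that classifies the combined output of `openssl ecparam -name <curve>` and treats the `:unsupported:` error seen for sm2 as a reason to skip the curve, alongside the `invalid`/`unknown curve` matches the original check used. `grep -E` stands in for the deprecated `egrep`; the function names are mine, and the sample outputs are constructed from the messages quoted in this bug.

```shell
#!/bin/sh
# Added example, not code from the openssl_tpm2_engine test suite: a curve
# compatibility check extended so that openssl's "unsupported" error (curve
# name known, but no provider can handle it, as with sm2 in this bug) is
# treated like the "invalid/unknown curve" errors the original check matched.

# classify_ecparam_output OUTPUT
#   OUTPUT is the combined stdout+stderr of `openssl ecparam -name <curve>`.
#   Prints "usable" when openssl produced curve parameters, or "skip" when it
#   reported the curve invalid, unknown, or unsupported.
classify_ecparam_output() {
    if printf '%s\n' "$1" | grep -Eq '(invalid|unknown) curve|:unsupported:'; then
        echo skip
    else
        echo usable
    fi
}

# curve_usable CURVE
#   Runs openssl and classifies the result. Exit status 0 means openssl can
#   exercise the curve; 1 means the test should `continue` past it.
#   Requires openssl in PATH (not needed for the constructed samples below).
curve_usable() {
    out=$(openssl ecparam -name "$1" 2>&1)
    [ "$(classify_ecparam_output "$out")" = usable ]
}

# Constructed sample outputs. SAMPLE_OK is the DER-encoded OID block openssl
# prints for prime256v1; the other two reuse messages quoted in this bug.
SAMPLE_OK='-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----'
SAMPLE_UNKNOWN='40B78F4A6A7F0000:error:0800008D:elliptic curve routines:group_new_from_name:invalid curve:crypto/ec/ec_lib.c:1500:'
SAMPLE_UNSUPPORTED='unable to generate key
40876EF00F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (SM2 : 0), Properties (<null>)'

# demo_loop: how the check sits in a test loop. The openssl call is replaced by
# the constructed samples so the flow can be shown offline; a real test would
# call curve_usable "$curve" instead of the case statement.
demo_loop() {
    for curve in prime256v1 sm2 bn256; do
        case $curve in
            prime256v1) out=$SAMPLE_OK ;;
            sm2)        out=$SAMPLE_UNSUPPORTED ;;
            *)          out=$SAMPLE_UNKNOWN ;;
        esac
        if [ "$(classify_ecparam_output "$out")" = skip ]; then
            echo "skipping $curve: openssl cannot handle it"
            continue
        fi
        echo "testing $curve"
    done
}
```

Source the file and run `demo_loop` to see prime256v1 tested while sm2 and the Barreto-Naehrig placeholder are skipped; in a real test script, replace the `case` with `curve_usable "$curve" || continue`. Matching `:unsupported:` with its surrounding colons keeps the pattern anchored to the openssl error-line format rather than any stray word in the output.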
Comment 2 James Bottomley 2024-04-19 16:51:05 UTC
The fixes (for tests only) are in the new upstream version 4.1.2, which has been submitted to Factory.